opentiny · hexqi · May 14, 2025 · Dec 26, 2024 · Jan 7, 2025 · Jan 7, 2025
diff --git a/app/src/main/resources/sql/h2/create_all_tables_ddl_v1.h2.sql b/app/src/main/resources/sql/h2/create_all_tables_ddl_v1.h2.sql
@@ -41,11 +41,11 @@ create table `t_platform_history`
     `ref_id`              int          not null comment '关联主表id',
     `version`             varchar(255) not null comment '版本',
     `name`                varchar(255) not null comment '名称',
-    `publish_url`         varchar(255) not null comment '设计器静态资源托管地址',
+    `publish_url`         varchar(255)  comment '设计器静态资源托管地址',
     `description`         varchar(2000) comment '描述',
     `vscode_url`          varchar(255) comment '设计预留字段',
     `material_history_id` int          not null comment '关联物料包历史id',
-    `sub_count`           int          not null comment '设计预留字段',
+    `sub_count`           int          comment '设计预留字段',
     `material_pkg_name`   varchar(255) comment '物料包名称',
     `material_version`    varchar(255) comment '物料包版本',
     `image_url`           varchar(255) comment '封面图地址',

diff --git a/app/src/main/resources/sql/h2/update_all_tables_ddl.sql b/app/src/main/resources/sql/h2/update_all_tables_ddl.sql
@@ -1,2 +1,8 @@
 ALTER TABLE t_component DROP INDEX u_idx_component;
-ALTER TABLE t_component ADD INDEX u_idx_component (tenant_id, name_en, version, library_id);
+ALTER TABLE t_component ADD INDEX u_idx_component (tenant_id, name_en, version, library_id);
+
+ALTER TABLE t_datasource DROP INDEX u_idx_datasource;
+ALTER TABLE t_datasource ADD INDEX u_idx_datasource (`tenant_id`, `platform_id`, `name`, `app_id`);
+
+ALTER TABLE t_platform_history MODIFY sub_count int NULL;
+ALTER TABLE t_platform_history MODIFY publish_url varchar(255) NULL;
diff --git a/app/src/main/resources/sql/mysql/create_all_tables_ddl_v1.mysql.sql b/app/src/main/resources/sql/mysql/create_all_tables_ddl_v1.mysql.sql
@@ -41,11 +41,11 @@ create table `t_platform_history`
     `ref_id`              int          not null comment '关联主表id',
     `version`             varchar(255) not null comment '版本',
     `name`                varchar(255) not null comment '名称',
-    `publish_url`         varchar(255) not null comment '设计器静态资源托管地址',
+    `publish_url`         varchar(255)  comment '设计器静态资源托管地址',
     `description`         varchar(2000) comment '描述',
-    `vscode_url`          varchar(255) comment '设计预留字段',
+    `vscode_url`          varchar(255)  comment '设计预留字段',
     `material_history_id` int          not null comment '关联物料包历史id',
-    `sub_count`           int          not null comment '设计预留字段',
+    `sub_count`           int          comment '设计预留字段',
     `material_pkg_name`   varchar(255) comment '物料包名称',
     `material_version`    varchar(255) comment '物料包版本',
     `image_url`           varchar(255) comment '封面图地址',

diff --git a/app/src/main/resources/sql/mysql/update_all_tables_ddl.sql b/app/src/main/resources/sql/mysql/update_all_tables_ddl.sql
@@ -1,2 +1,8 @@
 ALTER TABLE t_component DROP INDEX u_idx_component;
-ALTER TABLE t_component ADD INDEX u_idx_component (tenant_id, name_en, version, library_id);
+ALTER TABLE t_component ADD INDEX u_idx_component (tenant_id, name_en, version, library_id);
+
+ALTER TABLE t_datasource DROP INDEX u_idx_datasource;
+ALTER TABLE t_datasource ADD INDEX u_idx_datasource (`tenant_id`, `platform_id`, `name`, `app_id`);
+
+ALTER TABLE t_platform_history MODIFY sub_count int NULL;
+ALTER TABLE t_platform_history MODIFY publish_url varchar(255) NULL;
diff --git a/base/src/main/java/com/tinyengine/it/common/exception/ExceptionEnum.java b/base/src/main/java/com/tinyengine/it/common/exception/ExceptionEnum.java
@@ -235,7 +235,22 @@ public enum ExceptionEnum implements IBaseError {
     /**
      * Cm 322 exception enum.
      */
-    CM322("CM322", "调用接口失败");
+    CM322("CM322", "调用接口失败"),
+
+    /**
+     * Cm 323 exception enum.
+     */
+    CM323("CM323", "文件名长度范围为1-100，以数字或字母开头"),
+
+    /**
+     * Cm 324 exception enum.
+     */
+    CM324("CM324","文件名或路径无效"),
+
+    /**
+     * Cm 325 exception enum.
+     */
+    CM325("CM325","文件校验失败");
 
     /**
      * 错误码

diff --git a/base/src/main/java/com/tinyengine/it/common/utils/SecurityFileCheckUtil.java b/base/src/main/java/com/tinyengine/it/common/utils/SecurityFileCheckUtil.java
@@ -0,0 +1,178 @@
+/**
+ * Copyright (c) 2023 - present TinyEngine Authors.
+ * Copyright (c) 2023 - present Huawei Cloud Computing Technologies Co., Ltd.
+ *
+ * Use of this source code is governed by an MIT-style license.
+ *
+ * THE OPEN SOURCE SOFTWARE IN THIS PRODUCT IS DISTRIBUTED IN THE HOPE THAT IT WILL BE USEFUL,
+ * BUT WITHOUT ANY WARRANTY, WITHOUT EVEN THE IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR
+ * A PARTICULAR PURPOSE. SEE THE APPLICABLE LICENSES FOR MORE DETAILS.
+ */
+
+package com.tinyengine.it.common.utils;
+
+import cn.hutool.core.util.ObjectUtil;
+import com.tinyengine.it.common.exception.ExceptionEnum;
+import com.tinyengine.it.common.exception.ServiceException;
+import org.springframework.util.StringUtils;
+import org.springframework.web.multipart.MultipartFile;
+
+import java.io.File;
+import java.util.Map;
+import java.util.Objects;
+import java.util.regex.Pattern;
+
+/**
+ * The file check Utils.
+ *
+ * @since 2025-05-13
+ */
+public class SecurityFileCheckUtil {
+
+    private static final String REGX_FILE_NAME = "^[a-z0-9A-Z][^\\\\/:*<>|]+$";
+    private static final Pattern PATTERN_FILE_NAME = Pattern.compile(REGX_FILE_NAME);
+
+    /**
+     * Determine whether the file has cross path connections.
+     *
+     * @param dirOrFileName the dirOrFileName
+     * @return true or false
+     */
+    public static boolean checkPathHasCrossDir(String dirOrFileName) {
+        if (!dirOrFileName.contains("../") && !dirOrFileName.contains("/..")) {
+            if (!dirOrFileName.contains("..\\") && !dirOrFileName.contains("\\..")) {
+                return dirOrFileName.contains("./") || dirOrFileName.contains(".\\.\\") || dirOrFileName.contains("%00");
+            } else {
+                return true;
+            }
+        } else {
+            return true;
+        }
+    }
+
+    /**
+     * Type of inspection document.
+     *
+     * @param file the file
+     * @param fileTypeMap the fileTypeMap
+     * @return true or false
+     */
+    public static boolean checkFileType(MultipartFile file, Map<String, String> fileTypeMap) {
+        if (Objects.isNull(file) || fileTypeMap.isEmpty()) {
+            throw new ServiceException(ExceptionEnum.CM307.getResultCode(), ExceptionEnum.CM307.getResultMsg());
+        }
+        String originalFileName = file.getOriginalFilename();
+        for (Map.Entry<String, String> entry : fileTypeMap.entrySet()) {
+            if (originalFileName.endsWith(entry.getKey())) {
+                return checkFileType(file, entry.getKey(), entry.getValue());
+            }
+        }
+        return false;
+    }
+
+    /**
+     * Type of inspection document.
+     *
+     * @param file the file
+     * @param fileNameEnd the fileNameEnd
+     * @param fileType the fileType
+     * @return true or false
+     */
+    public static boolean checkFileType(MultipartFile file, String fileNameEnd, String fileType) {
+        String originalFileName = file.getOriginalFilename();
+        String contentType = file.getContentType();
+        if (ObjectUtil.isEmpty(originalFileName) || ObjectUtil.isEmpty(contentType)) {
+            return false;
+        }
+        if (!originalFileName.endsWith(fileNameEnd)) {
+            return false;
+        }
+        if (!contentType.equalsIgnoreCase(fileType)) {
+            return false;
+        }
+        return true;
+    }
+
+    /**
+     * Inspection file name.
+     *
+     * @param fileName the fileName
+     */
+    public static void validFileName(String fileName) {
+        if (!StringUtils.hasText(fileName)) {
+            throw new ServiceException(ExceptionEnum.CM320.getResultCode(), ExceptionEnum.CM320.getResultMsg());
+        }
+        if (!checkFileNameLength(fileName, 1, 100)) {
+            throw new ServiceException(ExceptionEnum.CM323.getResultCode(), ExceptionEnum.CM323.getResultMsg());
+        }
+        if (!filePathIsValid(fileName)) {
+            throw new ServiceException(ExceptionEnum.CM324.getResultCode(), ExceptionEnum.CM324.getResultMsg());
+        }
+        String fullFileName = getFileName(fileName);
+        if (!PATTERN_FILE_NAME.matcher(fullFileName).matches()) {
+            throw new ServiceException(ExceptionEnum.CM324.getResultCode(), ExceptionEnum.CM324.getResultMsg());
+        }
+    }
+
+    /**
+     * Check if the file name length is within the specified range.
+     *
+     * @param fileName the fileName
+     * @param min the min
+     * @param max the max
+     * @return true or false
+     */
+    public static boolean checkFileNameLength(String fileName, int min, int max) {
+        if (!StringUtils.hasText(fileName)) {
+            return min <= 0;
+        }
+        String temp = fileName.replaceAll("[^\\x00-\\xff]", "**");
+        return temp.length() <= max;
+    }
+
+    /**
+     * Verify file path.
+     *
+     * @param fileName the fileName
+     * @return true or false
+     */
+    public static boolean filePathIsValid(String fileName) {
+        if (fileName == null || fileName.trim().isEmpty()) {
+            return false;
+        }
+
+        // 获取当前操作系统的名称
+        String os = System.getProperty("os.name").toLowerCase();
+
+        // 定义通用的非法字符
+        String illegalChars = "";
+
+        if (os.contains("win")) {
+            // 针对Windows的非法字符
+            illegalChars = "[<>:\"/\\|?*]";
+        } else if (os.contains("nix") || os.contains("nux") || os.contains("mac")) {
+            // 针对Linux和macOS的非法字符（一般来说，Linux和macOS对文件名的限制较少，但有一些常见的非法字符）
+            illegalChars = "[/]"; // Linux和macOS的路径不能包含斜杠 '/'
+        }
+        // 检查路径中是否包含非法字符
+        if (fileName.matches(".*" + illegalChars + ".*")) {
+            return false;
+        }
+        // 检查路径是否超过文件系统允许的最大长度（例如，Windows上的路径限制通常为260个字符）
+        if (fileName.length() > 260) {
+            return false;
+        }
+
+        // 检查路径中是否包含空格或其他特殊字符，视需要进行定制
+        // 如果需要你也可以根据不同操作系统做不同的检查
+
+        return true;
+    }
+
+    private static String getFileName(String filePath) {
+        File file = new File(filePath);
+        return file.getName();
+    }
+
+
+}
diff --git a/base/src/main/java/com/tinyengine/it/controller/ComponentController.java b/base/src/main/java/com/tinyengine/it/controller/ComponentController.java
@@ -15,6 +15,7 @@
 import com.tinyengine.it.common.base.Result;
 import com.tinyengine.it.common.exception.ExceptionEnum;
 import com.tinyengine.it.common.log.SystemControllerLog;
+import com.tinyengine.it.common.utils.SecurityFileCheckUtil;
 import com.tinyengine.it.model.dto.BundleResultDto;
 import com.tinyengine.it.model.dto.CustComponentDto;
 import com.tinyengine.it.model.dto.FileResult;
@@ -71,6 +72,7 @@ public Result<FileResult> bundleCreateComponent(@RequestParam MultipartFile file
         if (file.isEmpty()) {
             return Result.failed(ExceptionEnum.CM307);
         }
+        SecurityFileCheckUtil.validFileName(file.getOriginalFilename());
         // 返回插入和更新的条数
         return componentService.readFileAndBulkCreate(file);
     }
@@ -92,6 +94,7 @@ public Result<BundleResultDto> bundleSplit(@RequestParam MultipartFile file) {
         if (file.isEmpty()) {
             return Result.failed(ExceptionEnum.CM307);
         }
+        SecurityFileCheckUtil.validFileName(file.getOriginalFilename());
         return componentService.bundleSplit(file);
     }
 

diff --git a/base/src/main/java/com/tinyengine/it/controller/I18nEntryController.java b/base/src/main/java/com/tinyengine/it/controller/I18nEntryController.java
@@ -16,6 +16,7 @@
 import com.tinyengine.it.common.exception.ExceptionEnum;
 import com.tinyengine.it.common.exception.ServiceException;
 import com.tinyengine.it.common.log.SystemControllerLog;
+import com.tinyengine.it.common.utils.SecurityFileCheckUtil;
 import com.tinyengine.it.model.dto.DeleteI18nEntry;
 import com.tinyengine.it.model.dto.FileResult;
 import com.tinyengine.it.model.dto.I18nEntryDto;
@@ -234,10 +235,10 @@ public Result<FileResult> updateI18nSingleFile(
         for (Map.Entry<String, MultipartFile> entry : filesMap.entrySet()) {
             // 获取对应的文件
             MultipartFile file = entry.getValue();
-
             if (file.isEmpty()) {
                 return Result.failed(ExceptionEnum.CM307);
             }
+            SecurityFileCheckUtil.validFileName(file.getOriginalFilename());
             // 返回插入和更新的条数
             result = i18nEntryService.readSingleFileAndBulkCreate(file, id);
         }
@@ -274,10 +275,10 @@ public Result<FileResult> updateI18nMultiFile(
         for (Map.Entry<String, MultipartFile> entry : filesMap.entrySet()) {
             String key = entry.getKey(); // 获取动态的参数名
             MultipartFile file = entry.getValue(); // 获取对应的文件
-
             if (file.isEmpty()) {
                 return Result.failed(ExceptionEnum.CM307);
             }
+            SecurityFileCheckUtil.validFileName(file.getOriginalFilename());
             // 返回插入和更新的条数
             result = i18nEntryService.readFilesAndbulkCreate(key, file, id);
         }